| Field | Value |
|---|---|
| Summary | sys-libs/glibc-2.32-r8: multiple vulnerabilities (CVE-2020-27618, CVE-2021-3326) |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://www.openwall.com/lists/oss-security/2021/01/27/3 |
| Whiteboard | A3 [glsa+ cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 764176 |
Description
John Helmert III

This will be in 2.33 which is out shortly but obviously we won't be stabling that for a while.

John Helmert III (comment #2)

CVE-2020-27618 (https://sourceware.org/bugzilla/show_bug.cgi?id=26224):

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

Also fixed in 2.33.

(In reply to John Helmert III (ajak) from comment #0)
> CVE-2021-3326:
>
> The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
> earlier, when processing invalid input sequences in the ISO-2022-JP-3
> encoding, fails an assertion in the code path and aborts the program,
> potentially resulting in a denial of service.
>
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
> Patch: https://sourceware.org/pipermail/libc-alpha/2021-January/122058.html

fixed in gentoo 2.32 branch, tag gentoo/glibc-2.32-7

(In reply to John Helmert III (ajak) from comment #2)
> CVE-2020-27618 (https://sourceware.org/bugzilla/show_bug.cgi?id=26224):
>
> The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and
> earlier, when processing invalid multi-byte input sequences in IBM1364,
> IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input
> state, which could lead to an infinite loop in applications, resulting in a
> denial of service, a different vulnerability from CVE-2016-10228.
>
> Also fixed in 2.33.

fixed in gentoo 2.32 branch, tag gentoo/glibc-2.32-3

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d446edfec1019a14aa3d2bbdbdfb79845b053b0c

    commit d446edfec1019a14aa3d2bbdbdfb79845b053b0c
    Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
    AuthorDate: 2021-02-27 19:17:04 +0000
    Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
    CommitDate: 2021-02-27 19:18:01 +0000

        sys-libs/glibc: Bump to 2.32 patchlevel 8

        Bug: https://bugs.gentoo.org/767718
        Bug: https://bugs.gentoo.org/768366
        Package-Manager: Portage-3.0.13, Repoman-3.0.2
        Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

     sys-libs/glibc/Manifest             |    1 +
     sys-libs/glibc/glibc-2.32-r8.ebuild | 1513 +++++++++++++++++++++++++++++++++++
     2 files changed, 1514 insertions(+)

Thank you! Nothing to do for toolchain here anymore

New request filed

This issue was resolved and addressed in GLSA 202107-07 at https://security.gentoo.org/glsa/202107-07 by GLSA coordinator John Helmert III (ajak).
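The CVE-2020-27618 text above describes a converter that fails to advance its input state, so an application's usual `while (inbytesleft > 0) iconv(...)` loop never terminates. The C program below is an added example, not code from this bug, from Gentoo or from glibc, showing the caller-side guard a practitioner can put around iconv(3): a call that reports success but consumes no input and produces no output is treated as a stall and the loop returns instead of spinning, the total number of calls is bounded, and invalid or truncated sequences (EILSEQ/EINVAL) are skipped one byte at a time so the loop always makes progress. The converter is passed as a function pointer so that `stalled_backend`, a constructed stub that is an assumption for illustration and not glibc behaviour, can exercise the guard without any of the affected IBM encodings; the real path uses glibc's built-in UTF-8 to ASCII conversion on a constructed input containing one invalid byte. CVE-2021-3326 is different in kind: an assertion failure inside glibc aborts the process, which no caller-side loop can catch, so the only fix there is the updated package this bug tracks.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Backend with the iconv(3) calling convention, so a stub can stand in for iconv. */
typedef size_t (*conv_fn)(void *ctx, char **inbuf, size_t *inbytesleft,
                          char **outbuf, size_t *outbytesleft);

enum conv_status { CONV_OK = 0, CONV_STALLED = -1, CONV_FAILED = -2 };

/* Guarded conversion loop.
 * - EILSEQ/EINVAL: drop one input byte, count it in *skipped, and resynchronise.
 * - E2BIG or any other error: give up with CONV_FAILED.
 * - A call that reports success but neither consumes input nor produces output,
 *   or more than max_calls calls in total, is reported as CONV_STALLED instead
 *   of looping forever. *outlen always receives the number of bytes produced. */
int convert_guarded(conv_fn fn, void *ctx, const char *in, size_t inlen,
                    char *out, size_t outcap, size_t *outlen, size_t *skipped,
                    unsigned max_calls)
{
    char *inp = (char *)in;   /* iconv takes char **; the input bytes are not modified */
    size_t inleft = inlen;
    char *outp = out;
    size_t outleft = outcap;
    unsigned calls = 0;
    int status = CONV_OK;

    *skipped = 0;
    while (inleft > 0) {
        if (++calls > max_calls) { status = CONV_STALLED; break; }
        size_t in_before = inleft, out_before = outleft;
        errno = 0;
        size_t rc = fn(ctx, &inp, &inleft, &outp, &outleft);
        if (rc == (size_t)-1) {
            if (errno == EILSEQ || errno == EINVAL) {
                inp++; inleft--; (*skipped)++;   /* skip the offending byte, keep going */
                continue;
            }
            status = CONV_FAILED;                /* E2BIG or an unexpected errno */
            break;
        }
        if (inleft == in_before && outleft == out_before) {
            status = CONV_STALLED;               /* "success" with no progress at all */
            break;
        }
    }
    *outlen = outcap - outleft;
    return status;
}

/* Real backend: the C library's iconv. */
static size_t iconv_backend(void *ctx, char **inbuf, size_t *inbytesleft,
                            char **outbuf, size_t *outbytesleft)
{
    return iconv((iconv_t)ctx, inbuf, inbytesleft, outbuf, outbytesleft);
}

/* Constructed stub (an assumption for illustration, not glibc code): reports
 * success but never advances, which is the caller-visible behaviour the
 * CVE-2020-27618 description gives for the affected encodings. */
static size_t stalled_backend(void *ctx, char **inbuf, size_t *inbytesleft,
                              char **outbuf, size_t *outbytesleft)
{
    (void)ctx; (void)inbuf; (void)inbytesleft; (void)outbuf; (void)outbytesleft;
    return 0;
}

/* The guard turns a converter that never advances into CONV_STALLED, not a hang. */
int demo_stalled_converter(void)
{
    char out[16]; size_t n = 0, sk = 0;
    return convert_guarded(stalled_backend, NULL, "abc", 3, out, sizeof out, &n, &sk, 1000);
}

/* Constructed input "h", 0xff, "i" (0xff is never valid UTF-8) converted to ASCII
 * with the real iconv: returns the number of bytes skipped (expected 1) when the
 * output is exactly "hi", or -1 if anything else happened. */
int demo_invalid_byte_skipped(void)
{
    iconv_t cd = iconv_open("ASCII", "UTF-8");
    if (cd == (iconv_t)-1) return -1;
    char out[16]; size_t n = 0, sk = 0;
    int st = convert_guarded(iconv_backend, cd, "h\xff" "i", 3, out, sizeof out, &n, &sk, 1000);
    iconv_close(cd);
    if (st != CONV_OK || n != 2 || memcmp(out, "hi", 2) != 0) return -1;
    return (int)sk;
}

/* A clean input passes through untouched: returns the output length (expected 5). */
int demo_valid_input(void)
{
    iconv_t cd = iconv_open("ASCII", "UTF-8");
    if (cd == (iconv_t)-1) return -1;
    char out[16]; size_t n = 0, sk = 0;
    int st = convert_guarded(iconv_backend, cd, "hello", 5, out, sizeof out, &n, &sk, 1000);
    iconv_close(cd);
    return (st == CONV_OK && sk == 0) ? (int)n : -1;
}

int main(void)
{
    printf("stalled converter   -> status %d (CONV_STALLED is %d)\n",
           demo_stalled_converter(), CONV_STALLED);
    printf("invalid byte input  -> %d byte(s) dropped, output \"hi\"\n", demo_invalid_byte_skipped());
    printf("valid input         -> %d bytes produced\n", demo_valid_input());
    return 0;
}
```

Build with a plain `cc` on a glibc or musl system; iconv lives in libc there, so no extra library is needed. The no-progress check is the important line: without it, a converter that returns 0 while leaving `inbytesleft` unchanged keeps the loop alive indefinitely, and a service converting attacker-supplied text would pin a CPU. Skipping one byte on EILSEQ is a choice for robustness over fidelity; a program that must reject malformed input rather than repair it should return CONV_FAILED at that point instead.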